b"Audit Report\n\n\n\n\nOIG-13-009\nManagement Letter for the Audit of the Federal Financing Bank\xe2\x80\x99s\nFiscal Years 2012 and 2011 Financial Statements\n\n\nNovember 13, 2012\n\n\n\n\nOffice of\nInspector General\nDEPARTMENT OF THE TREASURY\n\x0c                                     DEPARTMENT OF THE TREASURY\n                                           W ASHINGTON, D.C. 20220\n\n\n\n\n     OFFICE OF                              November 13, 2012\nINSPECTOR GENERAL\n\n\n\n\n            MEMORANDUM FOR GARY BURNER, CHIEF FINANCIAL OFFICER\n                           FEDERAL FINANCING BANK\n\n            FROM:                 Michael Fitzgerald\n                                  Director, Financial Audits\n\n            SUBJECT:              Management Letter for the Audit of the Federal Financing\n                                  Bank\xe2\x80\x99s Fiscal Years 2012 and 2011 Financial Statements\n\n\n            I am pleased to transmit the attached management letter in connection with the\n            audit of the Federal Financing Bank\xe2\x80\x99s (FFB) Fiscal Years 2012 and 2011 financial\n            statements. Under a contract monitored by the Office of Inspector General, KPMG\n            LLP, an independent certified public accounting firm, performed an audit of the\n            financial statements of FFB as of September 30, 2012 and 2011, and for the years\n            then ended. The contract required that the audit be performed in accordance with\n            generally accepted government auditing standards; applicable provisions of Office\n            of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal\n            Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.\n\n            As part of its audit, KPMG LLP issued and is responsible for the accompanying\n            management letter that discusses a matter involving internal control over financial\n            reporting and its operation that was identified during the audit but was not required\n            to be included in the auditors\xe2\x80\x99 reports.\n\n            In connection with the contract, we reviewed KPMG LLP\xe2\x80\x99s letter and related\n            documentation and inquired of its representatives. Our review disclosed no\n            instances where KPMG LLP did not comply, in all material respects, with generally\n            accepted government auditing standards.\n\n            Should you have any questions, please contact me at (202) 927-5789 or a member\n            of your staff may contact Shiela Michel, Manager, Financial Audits, at (202) 927-\n            5407.\n\n            Attachment\n\x0c                             KPMG LLP\n                             Suite 12000\n                             1801 K Street, NW\n                             Washington, DC 20006\n\n\n\n\nNovember 9, 2012\n\n\nInspector General, U.S. Department of the Treasury, and\nthe Board of Directors, Federal Financing Bank:\n\nIn planning and performing our audit of the Federal Financing Bank\xe2\x80\x99s (the Bank) financial\nstatements as of and for the year ended September 30, 2012, in accordance with auditing standards\ngenerally accepted in the United States of America; the standards applicable to financial audits\ncontained in Government Auditing Standards, issued by the Comptroller General of the United\nStates; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for\nFederal Financial Statements, as amended, we considered the Bank\xe2\x80\x99s internal control over\nfinancial reporting (internal control) as a basis for designing our auditing procedures for the\npurpose of expressing our opinion on the financial statements but not for the purpose of\nexpressing an opinion on the effectiveness of the Bank\xe2\x80\x99s internal control. Accordingly, we do not\nexpress an opinion on the effectiveness of the Bank\xe2\x80\x99s internal control.\nDuring our audit, we noted a certain matter involving internal control that is presented for your\nconsideration. This comment and recommendations, all of which have been discussed with the\nappropriate members of management, are intended to improve internal control and are\nsummarized in Exhibit I. We also provided in Exhibit II the status of the comment included in our\nletter arising from the fiscal year 2011 audit.\nOur audit procedures are designed primarily to enable us to form an opinion on the financial\nstatements and, therefore, may not bring to light all weaknesses in policies or procedures that may\nexist. We aim, however, to use our knowledge of the Bank gained during our work to make\ncomments and suggestions that we hope will be useful to you.\nThis communication is intended solely for the information and use of the Bank\xe2\x80\x99s management, the\nU.S. Department of the Treasury\xe2\x80\x99s Office of Inspector General, the U.S. Government\nAccountability Office, the Office of Management and Budget, and the U.S. Congress, and is not\nintended to be, and should not be, used by anyone other than these specified parties.\n\n\n\n\n                            KPMG LLP is a Delaware limited liability partnership,\n                            the U.S. member firm of KPMG International Cooperative\n                            (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0c                                                                                             Exhibit I\n\n                                  Federal Financing Bank\n                        Current Year Comment and Recommendation\n                                       September 30, 2012\n\n\n\nChange Management Procedures\nIn fiscal year 2012, we noted discrepancies in cash receipt amounts included in the cash receipt report\n(generated July 2012). It should be noted the original version of the cash receipts generated after the\nrespective month end were unaffected because the differences were the result of two system change\nrequests in the month of June. The changes only affected the cash receipts report generated July 9,\n2012.\n\nIn examining the reasons leading to the differences noted in the condition, we determined that while\nFFB management tests and approves change requests prior to implementing system changes, their\nchange management procedures are not comprehensive enough to ensure proper testing occurs prior to\nand subsequent to development and production. Due to the lack of regression testing, management was\nunable to detect the effect of the system change in production. Additionally, an FFB IT staff member\nwas not assigned to review in detail the change requests of development or production projects, created\nby the contracting firm, prior to the accountants performing their tests and approval of the changes.\n\nOffice of Management and Budget (OMB) Circular A-123 states, Management Accountability and\nControl, prescribes the expectation of management and the responsibility of managers for the quality\nand timeliness of program performance. Specifically, the Circular states that \xe2\x80\x9creliable and timely\ninformation is obtained, maintained, reported and used for decision making.\xe2\x80\x9d\n\nOMB Circular A-127 states that Agency financial management systems shall comply with the\nfollowing requirements: i. Documentation. Agency financial management systems and processing\ninstructions shall be clearly documented in hard copy or electronically in accordance with (a) the\nrequirements contained in the Federal Financial Management Systems Requirements documents\npublished by Joint Financial Management Improvement Program (JFMIP) or (b) other applicable\nrequirements. All documentation (software, system, operations, user manuals, operating procedures,\netc.) shall be kept up- to-date and be readily available for examination. System user documentation\nshall be in sufficient detail to permit a person, knowledgeable of the agency's programs and of systems\ngenerally, to obtain a comprehensive understanding of the entire operation of each system. Technical\nsystems documentation such as requirements documents, systems specifications and operating\ninstructions shall be adequate to enable technical personnel to operate the system in an effective and\nefficient manner.\n\nWithout a proper change control process over the application program regarding the flow of changes\nfrom development to production, potentially inaccurate program changes may be implemented into the\nproduction environment. Furthermore, if program development and modification activities are not\nmonitored (by FFB IT staff) relative to an established system development methodology, development\nof and modifications to programs may not be properly evaluated in connection with the posting logic of\nLoan Management Control System (LMCS), meet established design specifications, be properly\nreviewed and tested prior to introduction into the production environment.\n\n\n                                                2\n\x0c                                                                                           Exhibit I\n\n                                  Federal Financing Bank\n                        Current Year Comment and Recommendation\n                                      September 30, 2012\n\n\n\nRecommendations\nWe recommend that management strengthen change control procedures for LMCS and related report\nmodifications to conform to existing standards. Specifically, management should:\n\n\n1) Implement policies and procedures to provide adequate supervision, by FFB IT staff, when a\n   contractor develops requirements, testing, acceptance, and subsequent implementation initiatives\n   prior to moving into production.\n2) Strengthen change request form to include: all requirements for the change, scope of change\n   request including time period of change, life cycle of implementation and end user testing to\n   ensure all change requests are properly tested.\n3) Ensure that the level and sufficiency of testing are appropriate for specific change requirements;\n   that change requests are appropriately evaluated, authorized, and monitored to ensure they achieve\n   the users\xe2\x80\x99 requirements and do not negatively impact existing processing.\n\n\nManagement\xe2\x80\x99s Response\nManagement concurs with the finding and recommendations.\n\n\n\n\n                                               3\n\x0c                                                                                             Exhibit II\n\n                                     Federal Financing Bank\n                             Status of Prior Year Recommendations\n                                       September 30, 2012\n\n\n\n\n            Prior Year Comment                                    Current Year Status\n\n1. Fair Value of the Federal Credit Reform Act       During FY 2012, we noted several instances\n   Borrowings                                        where the Fair Value disclosure over borrowings\n                                                     was incorrectly calculated resulting in an\n                                                     understatement of $152 million. As a result, we\n                                                     reported this finding as significant deficiency in\n                                                     the Independent Auditors\xe2\x80\x99 Internal Control\n                                                     Report over Financial Reporting.\n\n\n\n\n                                                 4\n\x0c"